apurvajain
Starting Member
4 Posts
Posted - 2009-05-28 : 00:49:32

I have hosted an ASP.NET website (that is publicly available) on a server with connectivity to MS SQL 2005 as the database. Recently somebody attacked the database by inserting a script in all the varchar and text fields of the database, which led to a corrupted database. Are there any means to avoid this situation?

Some additional information:
My web site and the database are hosted on the same server with the same IP address.
The database currently being used has a customized username/password which is accessed through the connection string in the web.config of the website.

Please suggest how I can make my database secure from such a hack in the future. Thanks in advance.

Apurva

Success is the ability to go from one failure to another with no loss of enthusiasm
jezemine
Master Smack Fu Yak Hacker
2886 Posts
Posted - 2009-05-28 : 01:22:27

Probably you are a victim of a SQL injection attack. Does your site construct SQL statements from user input using string concatenation, and then execute the SQL? If so, you are vulnerable.

elsasoft.org
apurvajain
Starting Member
4 Posts
Posted - 2009-05-31 : 23:29:23

We have implemented checks against SQL injection, and nowhere do we create concatenated queries. We have made sure that we use parameterized stored procedures everywhere. Is there any other way that a SQL injection attack could have happened? Or are there any other possibilities that have caused this issue?

Please suggest and guide....

Success is the ability to go from one failure to another with no loss of enthusiasm
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2009-06-01 : 03:41:37

Dynamic SQL that's not parameterised? Calls to the procedures that don't use the parameters collection?

What you describe there is a classic automated SQL injection attack. Somewhere there's vulnerable code. It just has to be one place, one input that's coded wrong.

--
Gail Shaw
SQL Server MVP
apurvajain
Starting Member
4 Posts
Posted - 2009-06-01 : 04:58:52

Hi,

We have implemented code to handle SQL injection. We use only parameterized stored procedures for all operations of the database. Also, in the places where we have had to implement dynamic SQL, we are executing the query through sp_executesql. (This we verified by trying to execute malicious code through the SP.)

Despite all these measures, is it possible that somebody can gain access to my database and run a malicious script?

Success is the ability to go from one failure to another with no loss of enthusiasm
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2009-06-01 : 05:59:43

Is there another app using the same database? Are you sure that there's not one spot that's coded wrong?

Can you post a sample of how you're calling procedures and how you're executing dynamic SQL?

--
Gail Shaw
SQL Server MVP
apurvajain
Starting Member
4 Posts
Posted - 2009-06-01 : 06:18:58

A web service accesses the same database. However, the method exposed is that of authenticating the user.

Example of a call to a SP:

    Insertdata(strProcName, strParamNM, enumType, objValue);

Here:
    strProcName = name of procedure
    strParamNM = list of variable names
    enumType = type of db variables
    objValue = the actual values

Example of executing dynamic SQL:

    EXEC sp_executesql @Query, @paramlist, @TributeName_I, @Country_I, @State_I, @City_I, @CreatedBefore_I, @CreatedAfter_I, @TributeType_I, @TributeTypeCode

Here @Query, @paramlist, @TributeName_I, @Country_I, @State_I, @City_I, @CreatedBefore_I, @CreatedAfter_I, @TributeType_I and @TributeTypeCode are all variables defined in the SP, some of which get their value from the front end.

Also, all procedures that make an insert, update or delete in the database also update the modified date field.

Is there some way by which somebody can directly access the database?

Success is the ability to go from one failure to another with no loss of enthusiasm
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2009-06-01 : 09:58:32

What does Insertdata do, and what does @query look like and how is it constructed?

As for accessing the database: either via SQL injection, or they've got a username/password for the server.

--
Gail Shaw
SQL Server MVP
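The question of how @Query is built before the sp_executesql call posted earlier in the thread is the crux, so here is an added example (not code from this thread or from the poster's application) of the same optional-filter search written the unsafe way, with values concatenated into @Query, beside the safe way, with values passed through @paramlist, followed by an audit query for finding the unsafe pattern. The table dbo.Tribute, its columns and both procedure names are assumptions.

```sql
-- Added example, not code from this thread. Object and column names (dbo.Tribute,
-- TributeName, Country) and both procedure names are hypothetical.

-- UNSAFE: the filter values are spliced into the statement text. sp_executesql is still
-- called, but it receives a string the caller helped write, so a quote character in
-- @TributeName_I ends the literal and the rest of the input is parsed as SQL.
CREATE PROCEDURE dbo.SearchTributes_Unsafe
    @TributeName_I nvarchar(100),
    @Country_I     nvarchar(50)
AS
BEGIN
    DECLARE @Query nvarchar(max);
    SET @Query = N'SELECT TributeId, TributeName, Country FROM dbo.Tribute WHERE 1 = 1';
    IF @TributeName_I IS NOT NULL
        SET @Query = @Query + N' AND TributeName = ''' + @TributeName_I + N'''';
    IF @Country_I IS NOT NULL
        SET @Query = @Query + N' AND Country = ''' + @Country_I + N'''';
    EXEC sp_executesql @Query;   -- no @paramlist: nothing in this call is parameterised
END;
GO

-- SAFE: the statement text holds only parameter markers; the values arrive through the
-- parameter list and are bound as data, whatever characters they contain. The
-- optional-filter logic is unchanged, so this is a drop-in replacement (SQL 2005 syntax).
CREATE PROCEDURE dbo.SearchTributes_Safe
    @TributeName_I nvarchar(100),
    @Country_I     nvarchar(50)
AS
BEGIN
    DECLARE @Query nvarchar(max), @paramlist nvarchar(200);
    SET @Query = N'SELECT TributeId, TributeName, Country FROM dbo.Tribute WHERE 1 = 1';
    IF @TributeName_I IS NOT NULL
        SET @Query = @Query + N' AND TributeName = @TributeName';
    IF @Country_I IS NOT NULL
        SET @Query = @Query + N' AND Country = @Country';
    SET @paramlist = N'@TributeName nvarchar(100), @Country nvarchar(50)';
    EXEC sp_executesql @Query, @paramlist,
         @TributeName = @TributeName_I, @Country = @Country_I;
END;
GO

-- Audit helper: list modules in the current database whose text both runs dynamic SQL
-- and concatenates a variable directly after a quote, the pattern used in the unsafe
-- procedure above. Heuristic only; every hit needs a manual read.
SELECT OBJECT_NAME(object_id) AS ModuleName
FROM sys.sql_modules
WHERE (definition LIKE '%sp_executesql%' OR definition LIKE '%EXEC(%' OR definition LIKE '%EXECUTE(%')
  AND definition LIKE '%'' + @%';
```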